Unconditionally secure key distillation from multi-photons 
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In this paper, we prove that the unconditionaUy secure key can be surprisingly extracted from 
mtt/ti-photon emission part in the photon polarization-based QKD. One example is shown by ex- 
plicitly proving that one can indeed generate an unconditionally secure key from Alice's two-photon 
emission part in "Quantum cryptography protocols robust against photon number splitting attacks 
for weak laser pulses implementations" proposed by V. Scarani et ai, in Phys. Rev. Lett. 92, 
057901 (2004), which is called SARG04. This protocol uses the same four states as in BB84 and 
differs only in the classical post-processing protocol. It is, thus, interesting to see how the classical 
post-processing of quantum key distribution might qualitatively change its security. We also show 
that one can generate an unconditionally secure key from the single to the four-photon part in a 
generalized SARG04 that uses six states. Finally, we also compare the bit error rate threshold of 
these protocols with the one in BB84 and the original six-state protocol assuming a depolarizing 
channel. 

PACS numbers: 03.67.Dd 



Quantum key distribution (QKD) allows two separate 
parties, the sender Alice and the receiver Bob, to share 
a secret key with negligible leakage of its information to 
an eavesdropper Eve. The best known QKD protocol 
is BB84 protocol published by Bennett and Brassard in 
1984 JJ. Many aspects of the BB84 protocol including 
the unconditional security |^ |^ Q and its implementa- 
tions has been investigated. BB84 is unconditionally 
secure if Alice emits a single-photon. However, if Alice 
emits multi-photon. Eve in principle gets full information 
on bit values without inducing any bit error by exploiting 
a photon number splitting attack (PNS) j^. 

Recently, Scarani, et.al. have proposed a QKD 
(SARG04) that is robust against PNS attack. This pro- 
tocol uses exactly the same four states as the one in 
BB84, and only the classical data processing is different 
from BB84. A key goal of this paper is to demonstrate 
that among many modifications of BB84 8] , SARG04 is 
the first essential modification in the sense that it has a 
property that BB84-type QKD has never accomplished, 
i.e., one may generate a secure key not only from the 
single-photon part, but rather surprisingly also from a 
two-photon part. In SARG04, the classical part is mod- 
ified in such a way that after Alice's initial broadcast, 
the two remaining states are nonorthogonal. Thus, even 
by using PNS attack. Eve cannot discriminate the state 
deterministically. This is an intuition that one might ex- 
pect to generate a secure key from the two-photon part. 

We remark that this kind of secure key distillation is 
natural from the viewpoint of an unambiguous state dis- 
crimination It is known that an unambiguous dis- 
crimination among N states of a qubit space is only pos- 
sible when at least iV — 1 copies of the state are avail- 
able. This means in the case of four states that we have 
no chance to distill a key from more than the two-photon 
part, because if Eve succeeds the discrimination, then she 
can resend the corresponding state, while if she does not. 



then she sends vacuum state to Bob, which disguises for 
channel losses. In other words, there is no reason that 
forbids the generation of a secure key from both the single- 
photon and two-photon parts in a four-state protocol. 
By modifying only the classical part in BB84, SARG04 
might accomplish this. 

Note that SARG04 differs from BB84 only in the clas- 
sical communication. Thus, it is very interesting to see 
how only the classical communication of QKD changes 
its security, which is a fundamentally interesting ques- 
tion. This is related to the viewpoint of " Entanglement 
as precondition for secure QKD" in So far, many 

studies have been done to generate a single-photon source 
in experiments for QKD '5'|. Hence, the demonstration 
of a secure key from the two-photon part has an impact 
to that direction of studies. Moreover, from practical 
viewpoint, an experiment for SARG04 should not be so 
difficult once an experiment for BB84 is available (e.g. 
see 10]). It follows that to investigate which protocol 
one should perform is important from the practical view- 
point. In summary, to prove the unconditional security 
of SARG04 is an interesting question both from funda- 
mental and practical viewpoints. 

In this paper, we prove that the unconditionally secure 
key can be surprisingly extracted not only from single- 
photon part, but also from multi-photon part in the pho- 
ton polarization-based QKD, especially two-photon part 
in the SARG04 protocol. Thus, our result clearly shows 
that the modification of only the classical communica- 
tion part in QKD can change its quality. In this paper, 
we assume that Alice has a coherent light source and 
Bob has a single-photon detector with no dark count. 
To prove the security of the two-photon part, we gen- 
eralize the idea of "squash operation" in where the 
authors treat the multi-photon part just by assuming the 
worst case scenario for BB84. In our case, we cannot rely 
on this scenario, because this scenario completely denies 
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FIG. 1: Bob's measurement basis in the Bloch sphere. Note 
that the random rotation _R^^ just changes the definition of 
the outcomes and does not change the bases as a set. 

a chance to generate a secure key form the two-photon 
part. The generalization we made can widely apply to the 
multi-photon parts in most of polarization based QKD, 
such as a modified SARG04 protocol (based on six states) 
that we propose in this paper. In this protocol a secure 
key can be generated from the single to the four-photon 
part. 

This paper consists of the following. We first present 
our notations and describe how SARG04 works. After 
that, we prove the security of the protocol with the single- 
photon part and two-photon part. Finally, we compare 
the security of SARG04 with the one of BB84, and we 
end this paper with mentioning a natural generalization 
of SARG04 followed by a summary. 

We first define several notations. {|0a;), jlx)} is a X- 
basis for a qubit, which is related to Z-basis and Y- 
basis by = [|0,) + {-iy\U)]/V2} (j = 0,1) and 

{\jy) = [|0^)-hi(-l)^|l^)]/V2}, respectively. We define a 
filtering operator F = sin ||0a;)(0a;|-l-cos ||l2;)(la;|, a 7r/2 
rotation around F-axis R = cos ^Iqubit + sin |-(|l;j,) (O^rl — 
|0,)(1,|), and \ip,) = cosf |0,) + (-l)^' sin f where 
Iqubit = Yl]=o Note that R\ipi) = \ipo)- We in- 

troduce P(X|*)) = X|«')(*|Xt, |xo±) = 7|(|0.)|0,) ± 
|1.)|1.)), |X1±) = 7i(|0.)|l.) ± |1,)|0,)), W, ^) EE |^)«^ 
and \Tpj) satisfing ~ 0. 

We now explain how SARG04 works. Since this proto- 
col is similar to B92 protocol ^2 > explain SARG04 in 
the context of the modification of B92 protocol. Imagine 
the B92 where Alice randomly sends \v, ipj) {j — 0, 1) de- 
pending on the bit value j, while Bob performs the B92 
measurement where he randomly chooses a measurement 
basis from {\ipj'), |^/)} {j' = 0, 1) (see also Fig.QJ. If his 
measurement outcome is Tp^ or Tp^, which we call conclu- 
sive, then Bob broadcasts that he got a conclusive results. 
From the outcome, he can infer which bit value Alice sent 
to him, i.e., when the outcome is Tpi (^), he concludes 
that Alice sent bit value (1). 

We can convert the above B92 into SARG04 just im- 
posing Alice to perform a rotation R^ just before send- 
ing the state, and imposing Bob to perform a rota- 
tion R^^ just before performing the B92 measurement. 
Here, each of K and K' is randomly chosen from to 3 
(_R° = Iqubit)- After Bob performs the measurement, Al- 
ice broadcasts to Bob which B92 she has chosen, i.e., she 
broadcasts K. li K = K' , then Bob broadcasts whether 



the measurement outcome is conclusive or not, and if 
K ^ K' , then they discard all corresponding data. It 
is easy to see that Alice and Bob perform the same op- 
erations as in BB84 (see also Fig. Intuitively, the 
symmetrization of a quantum channel, including Eve's 
action, given by the random rotation R provides an ad- 
vantage to SARG04 over the B92. Actually, we will prove 
an error threshold of SARG04 that is independent of 
quantum channel losses, which is a big difference from 
the case for the B92 

Before proving the unconditional security of SARG04 
with I'-photon, we describe how we treat the case that 
Bob's measurement outcome is both ipji and '^pji'. This 
happens because of multi-photon detections or dark 
counts. In such a case, we impose Bob to decide his mea- 
surement outcome randomly. Note that Bob can equiva- 
lently do this by locally preparing a random qubit state 
followed by the measurement on it. We pessimistically 
assume that Eve prepares the qubit state instead of Bob. 
Since we can assume that Eve sends a qubit state in the 
non-ambiguity case, without threatening any security we 
consider Eve who always sends a qubit state or vacuum 
state to Bob. This process can be regarded as a "squash 
operation" Q. 

In order to prove the security of SARG04, we construct 
an unconditionally secure Entanglement Distillation Pro- 
tocol with i^-photon (EDP-i^) that can be converted 
to SARG04 with i^-photon. This protocol employs an 
EDP lU based on Calderbank-Shor-Steane (CSS) codes 
0,^3. In EDP-:/, Alice creates many pairs of qubits in 
the state |*(''))ab = ^(|0^)A|i^, <^o)b + |1;,)a|j^, <^i)b), 
and after randomly applying the rotation R^ to the sys- 
tem B, Alice sends the system B to Bob. On the other 
hand, Bob randomly applies the rotation R~^ to the 
qubit state, and then he performs a filtering operation 
whose successful and failure operation is described by 
Kraus operators F and \/ Iqubit — F'^^ respectively. Af- 
ter many repetition of state sending and Bob's operation, 
they use classical communication so that they keep the 
qubit pairs where Bob's filtering succeeds with K — K' . 
From these pairs, they randomly choose test pairs that 
are subjected to measurements in the 2'-basis by Alice 
and Bob. Thanks to random sampling theorem, the test 
pairs give us a good estimation of the bit error rate on 
the remaining pairs (code pairs) provided that the num- 
ber of the test and code pairs are large enough. If they 
can estimate the upper bound of the phase error rate on 
the code pairs, they can choose CSS codes that correct 
both bit and phase errors on the code pairs so that they 
share some maximally entangled states in the form of 
|Xo+)- Finally, by performing Z-basis measurement on 
those states, they share a secret key. 

To confirm that EDP-r/ is completely equivalent to 
SARG04, first note that Alice can perform Z-basis mea- 
surement just before sending the system B without 
changing any measurement outcome. It follows that Al- 
ice randomly sends \v,ipj) {j = 0,1), and this is ex- 
actly what Alice does in SARG04. Similarly, we can 
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FIG. 2: In the two-photon case (i.e., — 2), Alice first pre- 
pares three-qubit in the state of |^'''^^^-')ab. After some op- 
erations by Alice and Bob, they try to distill a key from a 
final state of the system A and B (black dots) if K = K' . 



allow Bob to perform Z-basis measurement just after 
the filtering operation, which is completely the same 
as the measurement randomly chosen from {Ivj'), I'ff)} 
basis {j' = 0,1). This can be seen by noting that 
F\j' JF^ = i|^j7)(^~7|. By combining the random 
rotation, it is obvious that Bob's operation in EDP-i/ is 
completely the same as the one Bob does in SARG04. 
Note that successful filtering events corresponds to the 
conclusive events. 

Since we have seen the equivalence of EDP-i/ to 
SARG04, we prove the security of SARG04 based on 
FiDP-i/. Note that the bit error rate on the code pairs 
is well estimated by the test pairs, hence all we have to 
consider is how to estimate the phase error rate on the 
code qubit pairs from the bit error rate. Intuitively, this 
phase error estimation is given by the symmetry of the 
rotations R, and the property of the filtering operation 

Ellll- Let us define p^]^ {L = {Bit, Phase, Fil}) 
as an expectation value for a particular l*^ qubit pair of 
the z^-photon part having an event in L, conditioned on 
arbitrary configurations of an event in L or the failure fil- 
tering including Bob's vacuum detection for the previous 
I — 1 pairs. Furthermore, let us define a random variable 
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"YTi^iP L where ^ is the number of 
events L with i/-photon actually has happened from 1"* 
pair to s*'* pair. By directly applying Azuma's inequality 

[r^ to ATI ^, one can show that Yld=iP^Lv ~^ ^l.v '^i^h 
exponentially as the number of pairs s increases. Thus, 
we have the following theorem. 

THEOREM: If Cp'^X^^ + C'pg, ^ ^ holds, then 
Ce^^^ + C" e^^^ is exponentially reliable as the number 
of successfully filtering states increases. Here e^^^/p/j *s 
the actual bit/phase error rate normalized by the actual 
successful filtering events. 

We emphasize that thanks to Azuma's inequality this 
theorem holds even when Eve performs the most general 
attack, including coherent attacks. Our theorem is a gen- 
eralization of the discussion in . Now, we are only left 
to obtain the inequality for a particular qubit pair in the 
form of Cpbit.i/ + C'pm.i^ ^ Pph,i/- 

We remark that the pessimistic assumption on the 
state Eve sends to Bob and the above theorem are impor- 
tant observations. With these observations, we are left 
only to calculate the state of a qubit pair state, and find 
the relationship that holds for any Eve's action, which are 



straight forward. Moreover, to simplify Eve's action, we 
define "trash" systems that are qubits originated from 
multi-photon, but Bob has no interest in. Since Bob 
never care about the state of "trash" after Eve's action, 
we can safely assume that the final state of each trash is 
in a particular state, say |02:)trash (see also Fig. 12)). Since 
we have put no assumption on Alice and Bob other than 
they use qubits, our basic strategy for the security proof 
can widely apply to any photon number part in most of 
polarization based QKD. 

For the later convenience, let Pq^^jt be the pair 
qubit state stemming from the i^-photon part. With 

this state, p^. 



is expressed as pm,!^ = Tr 



/'qubit 



PhitM 



Tr 



'^qub 



Tr 



itEm=+,-^(IXl,m»J, and pph^i. = 

Pqubit Em'=o,i Pi\Xm',-))\ . To obtain p^^^^.^, we first 

consider the final state of |^''''^-')ab after Alice, Bob, and 
Eve's operations with K — K' . This state is obtained by 
tracing out the every other pair from the total state, to 
which Eve has performed an arbitrary operation, includ- 
ing the one in coherent attacks. The final (unnormalized) 

state can be expressed as p^^^ — J2f Prh"^ ' where / is an 
index for an arbitrary matrix representing Eve's action 



E^^'"'' on z/-photon (181 . 



In the single-photon case (i.e., v = 1), "'"'^^ — 



/'qubit 



and pi^^"^ 



/^qubit ■ 



It 



is a bit te- 



dious but straight forward to see that Pph,i = |pbit,i 



for o'^'"=') 

Pqubit 



stemming from any E^^''^ ^\ 



Thus, 

by the linearity of the density matrix, we conclude 



that 



3jl) 
2 ^bit ■ 



Furthermore, one can also 



show that (XO-|PqubiVlXO-) > 2(xi+|PqubitVi 



and 



2(Al-|PqubitVl- 



> (xo-IPqubit 1X0-) always hold, 
which implies that there is a mutual information between 
phase and bit error patterns. 

In the two-photon case {v — 2), Pqubit^ and Pqubj^^' 

are obtained by taking projection to Pgn"^"* and Pgn"^"^' 
by I Oa;) trash that Can be expressed via a 2 x 2 matrix, 
E^'"^^ {u = 0, 1) 01 • It is tedious but straight forward 
to see that if y ^ g{x) = ^ (^3 - 2x + ^6 - GV^x + Ax'^ 
is satisfied, then a;pbit,i/=2 + yPm,i^=2 ^ Pph,i/=2 holds for 
[20l |. Thus, we pessimistically conclude that 



any 1^^ 



(2) 
--bit 



(2) (2) (2) 

^pii - Note that e^^ ^ even when ef,;^ 

,2 



because Inf[(7(a;)] ~ sin ^, which means Eve can get 
some information on the key without introducing any bit 
error in ly ~ 2 case. In v — 2 case, we cannot find any 
mutual information between the bit and phase errors. 

Since we have finished the phase error estimation, we 
can calculate the key generation rate for SARG04. By 
assuming the random hashing CSS code 0, |^, the 
key generation rate for z^-photon part Ri, is asymptot- 
ically represented by i?,^ = 1 — H{X^,Z^) where 
H{Xv, Zy) is the entropy of bit and phase error pattern 
in the i/-photon part. By solving i?^ ^ 0, we can show 
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that up to e^jj '--^ 9.68% (this is the same as the one re- 
cently obtained in (22] without the "preprocessing") and 

^bit ~ 2.71% (when x ~ 2.747) we can distill a secure key 
from the z^-photon part. To compare the bit error rate 
threshold of S ARG04 to the one of BB84, we assume that 
Eve simulates a depolarizing channel where a y-photon 
state p®'' evolves to (l - f ) p^'^ + f (lqubit/2)®''. Here, 

p is a depolarizing rate. Since el^^l = 4p/(3 + Ap) in 
this channel, the single-photon and two-photon part of 
SARG04 is secure up to p - 8.04% and p ~ 2.08%, re- 
spectively while BB84 with one-way classical communi- 
cation is secure up to p '--^ 16.5% Jj. 

We can express a total key rate R by using the de- 
coy state [i^, which allows us to use an imperfect light 
source and imperfect threshold detectors. This idea gives 
the lower bound of the fraction of Bob's conclusive re- 
sults conditioned on i^-photon emission as ^(v) and the 

upper bound of the bit error as ejj'j^j. From them, we 
can compute the upper bound of the conditional en- 
tropy of the phase error pattern given the bit error 
patter, which is denoted by H{Z„\Xi,). Hence, R — 

-^'conc/l(ebit) + C(i^) 

Here, Pconc is a fraction that Bob obtains the conclusive 



results and ebit is the bit error rate on every conclusive 
result. 

Note that our security analysis can directly apply 
to a modified six-state protocol, where Alice and Bob 
additionally perform a random 7r/2 rotation around 
{\(Pj'), |<^)} axis in SARG04. By following the discus- 
sion on the unambiguous state discrimination, we ex- 
pect that we may distill a secure key from the single 
to the four-photon part. Actually, one can show that 
we can indeed generate a secure key from i/-photon part 
up to the error rates of 11.2% (z/ = 1), 5.60% (i/ = 2), 
2.37% (i/ = 3), and 0.788% {v = 4), which correspond 
to p ~ 9.49%, p ~ 4.45%, p ~ 1.82%, and p ~ 0.595%, 
respectively, while p ~ 19.0% in the original six-state 
protocol with one-way classical communication |^ . 

In this paper, we prove that the unconditionally secure 
key can be extracted from mu/ti-photon emission part in 
the photon polarization-based QKD. Our result demon- 
strates clearly that by changing only the classical post 
processing protocol, the foundations of the security can 
change qualitatively. 

We thank J.-C. Boileau, J. Batuwantudawe, M. Koashi 
and F. Fung for helpful discussions. 
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